© ISO Management Systems, www.iso.

org/ims

SPECIAL REPORT

C

INU ONT

ITY

ISO/PAS 22399 provides niiinternational best practice for preparedness and continuity management
Natural disasters, acts of terror, technology mishaps and environmental accidents have clearly demonstrated that no one is immune to intentional or unintentional crises. ISO/PAS 22399:2007 has been developed to address the global awareness that both the public and private sector must proactively prepare for unexpected, disruptive incidents.

by Stefan Tangen and Marc Siegel

In November 2007, ISO published a Public Available Specification which is the first internationally ratified document regarding preparedness and continuity management. ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management,

is an international consensus on best practices from the five main contributions made to the ISO Workshop on Emergency Preparedness held in Florence, Italy, in April 2006. This “ best of five” guideline draws its key elements and attributes from :

• NFPA 1600, Standard on Disaster Management and Business Continuity Programs of the US National Fire Protection Association (NFPA) ; • BS 25999-1, Business Continuity Management Part 1 : Code of Practice of the

ISO Management Systems – January-February 2008 5

• the work of the Japanese Industrial Standards Committee (JISC). they need to be ready to resume operations and services as rapidly as possible. crisis or disaster) so that they can manage and survive the incident and take the appropriate actions to ensure the organizations’ continued viability. The challenge is to determine how much risk is acceptable and how to cost-effectively manage risk while meeting the organization’s strategic and operational objectives.iso. ISO/PAS 22399 describes a holistic manage- ISO/PAS 22399 integrates preparedness and continuity into the culture and management practices of the organization to enhance its resilience. of Standards Australia (SA) . emergency. The ISO/PAS 22399 approach to preparedness and continuity management emphasizes business friendliness. However. effective security-. 6 ISO Management Systems – January-February 2008 . Therefore. accidental. organizations must proactively prepare for potential incidents and disruptions in order to avoid suspension of critical operations and services. It must be recognized that by implementing appropriate preventive controls and The guideline is a tool for public or private organizations ty. as well as mitigating and recovering from unavoidable disruptions. The purpose of the guideline is to provide a basis for understanding. businessto-business and organization-tocustomer/client dealings. ISO/PAS 22399 uses classical management approaches recognized as good business practices. Security and continuity management systems – Requirements and guidance for use of the Standards Institution of Israel (SII) . be it be it natural. ISO/ PAS 22399 follows the easily understood and widely applied management framework for identifying problems and their solutions. • HB 221. When crises occur. It is written with the flexibility necessary for the organization to adopt a system that supports its mission and objectives. and it provides a framework for minimizing their effect. Business Continuity Management. ment process that identifies potential impacts that threaten an organization. www. By building on the general concepts of Total Quality Management and the Plan-Do-Check-Act (PDCA) approach (see Figure 1). Today. Through a structured and systematic process. intentionally.© ISO Management Systems.org/ims SPECIAL REPORT British Standards Institution (BSI) . it is not possible to completely eliminate the likelihood of a disruption. principles and terminology for incident preparedness and operational continuity management (IPOCM) within the context of societal securi- The guideline is a tool to allow public or private organizations to consider the factors and steps necessary to prepare for an unintentionally. ISO/PAS 22399 establishes the process. an organization can reduce the residual risk of a disruptive event. or intentional. organizations can manage risk and uncertainty proactively. • SI 24001:2007. Built to be business friendly All organizations face a certain amount of uncertainty and risk. and/or naturally caused incident (disruption. risk treatments. developing and implementing incident preparedness and operational continuity within an organization. and to provide confidence in organization-to-community.

Before joining standardization. plans and programmes – definition of roles and responsibilities – communication strategies. He is co-author of ISO/PAS 22399.and continuityrelated risk management must address mitigation.org • Risk assessment and impact analysis • Development of management strategies. resource allocation.mail stefan.se Dr. he worked as a senior researcher at the Royal Institute of Technology in Stockholm.tangen@sis. Major attributes recognized as common elements in all five of the contributing documents include : PLAN Define and analyze a problem and identify the root cause ACT Standardize solution Review and define next issues DO Devise a solution Develop detailed action plan and implement it systematically CHECK Confirm outcomes against plan Identify deviations and issues Figure 1 – Plan-Do-Check-Act (PDCA). this is one of the major improvements of ISO/PAS 22399 over some of its contributing documents.org/ims CO UI NTIN TY SPECIAL REPORT preparedness. Act • Review and improvement. Robots and Robotic Devices. Swedish Standards Institute. ISO/PAS 22399 incorporates the key elements and attributes of preparedness and continuity management into a continual improvement management cycle (see Figure 2 overleaf). USA in the College of Business Administration and the Master’s Program in Homeland Security. ISO 14001:2004 (environmental management) and ISO/IEC 27001:2005 (information security management) standards to support consistent and integrated implementation and operation with related management standards. response. Dr. and has worked with numerous Swedish mirror committees. management support • Policy and management commitment Check • Performance assessment and evaluation and system maintenance. He is an Adjunct Professor at San Diego State University. Do • Development and implementation of operational and control strategies. and a project manager at SIS. operational/business continuity. procedures and programmes. Dr. Stefan Tangen is the Secretary of ISO technical committee ISO/TC 223. About the authors Plan • Project initiation: definition and scope. www. plans and programmes – allocation of human. com Web www.sis. Societal Security – Guideline for incident preparedness and operational continuity management. Indeed. and recovery in addition to prevention and deterrence.© ISO Management Systems. physical and financial resources. He initiated the concept and spearheaded the effort with the Standards Institution of Israel to develop the Israel National Standard : Security and Continuity Management Systems – Requirements and guidance for use.iso. ISO Management Systems – January-February 2008 7 .se Web www. The ISO/PAS 22399 approach is aligned with the globally accepted ISO 9001:2000 (quality management). including: – awareness. E-mail marc_h_siegel@yahoo. The approach of combining key elements and attributes into a continual improvement cycle is not new. Societal Security. E. Tangen holds a PhD in production engineering. He has previously been the Secretary of ISO/TC 184/SC 2.asisonline. plans. Marc Siegel serves as security management system consultant for ASIS International. competence and training strategies.

4 Corrective and preventive action 8.3 Competence. ISO/PAS 22399 received unanimous approval by the countries casting ballots.5 Maintenance 8.1 Prevention and mitigation programmes 6.4 IPOCM programmes 6. Continual improvement 6. including the British Standards Institution. teams representing the different national documents. in just a little over 15 months from the conclusion of the IWA.2 Legal and other requirements 6. leading to disparate national efforts to develop relevant standards.iso.3 Risk assessment and impact analysis 6. since the challenges of natural disasters and intentional disruptions do not recognize borders or jurisdictional boundaries. and thereby eliminate the confusion of separate national approaches.5 Operational control 7. and to the need to bring order to a fractured landscape of separate national standards. products and services – Preliminary determination of likely risk scenarios and consequences Universtity.org/ims SPECIAL REPORT One suitably designed management system can thus satisfy the requirements of all these standards.4. Within a few months.4. operation.4 Communications and warning 7. Policy 5. the need for preparedness and continuity standards has been globally recognized. roles. The fast-track mechanism of an ISO Publicly Available Specification was chosen to address this pressing market need.1 System evaluation 8. The unanimous vote of approval of ISO/PAS 22399:2007 was largely due to it being considered stronger than the sum of its parts. of Standards Norway.6 Internal audits and self assessments * IPOCM = Incident Preparedness and Operational Continuity Management. www.2 Building and embedding IPOCM in the organization’s culture 7. Thus the “ best of five” concept was born. Implementation and operation 7.4 Policy development 8.3 Testing and exercises 8. Thereafter. robust and cost-effective tool to assure the resilience of their organizations.2 Performance measurement and monitoring 8. However. Performance assessment 8. training and awareness 7. the Japanese Industrial Standards Committee. National Fire Protection Association/New York and develop the first draft of ISO/PAS 22399. the American National Standards Institute (ANSI) and the New York University International Center for Enterprise Preparedness (NYU InterCEP) organized and hosted an ISO International Workshop Agreement meeting to address this issue. In April 2006. including an endorsement by all the member countries of the Task Group. ISO/PAS 22399 is aligned with globally accepted ISO management standards START : Know your organization – Define scope and boundaries for IPOCM* programme – Identify critical objectives. 8 ISO Management Systems – January-February 2008 . the Task Group was able to fully agree on common principles 9.3 Management leadership and commitment 5.© ISO Management Systems. Ivar Jachwitz. functions. Management review 5. delegates from around the world endorsed the concept of using the contributions as a basis for developing an internationally recognized set of best practices for preparedness and continuity management. The document went through a review process by the member countries of ISO technical committee ISO/TC 223. Societal security. SA and Standards Institution of Israel. responsibility and authority 7.6 Finance and administration Figure 2 – Preparedness and continuity management flow diagram. Planning 6. Rather than endorse a single document.1 Resources. providing the private and public sectors with a flexible.2 Response management programmes 7. The recommendation was to develop a single globally recognized roadmap for preparedness and continuity management. and a final draft was crafted and submitted for ballot. Demonstrating a spirit of international cooperation on the important issue of emergency and disaster management. ISO/ TC 223 has achieved final agreement and approval on a uniform global vision of best practices for incident preparedness and continuity management. this has led to confusion as to which standard to apply. Enhancing crossjurisdictional protection For many years. joined a special Task Group led by Mr.

it was tasked with developing standards in the area of crisis and continuity management. Societal security ISO/PAS 22399 is the first deliverable of ISO/TC 223. emergency and disaster managers. ISO/TC 223 provides the only global forum to develop international standards. A level playing field of global consensus in preparedness and continuity management is key to protecting lives and helping affected communities rebound when disaster strikes. coordination and cooperation in resolving incidents • essential information and data requirements for command and control • inter. as well as cross-jurisdictional and multi-organizational interactions. It will develop the future ISO 22300 family of standards. At the 4th plenary meeting. security professionals.iso. is responsible for the secretariat and the committee is comprised of representatives from business.© ISO Management Systems. Swedish Standard Institute. it was decided to initiate the ISO/PAS 22399 as a DIS (Draft International Standard). Global trade and the crossborder nature of the challenges require international cooperation. which means that the committee aims to turn the document into a full International Standard as soon as possible. which is the cornerstone of the ISO process. procedures and systems needed to protect human and physical assets from intentional. thus giving them more resilience than those which are not prepared. Reactivated by the ISO Technical Management Board in 2006. The work of ISO/TC 223 will become increasingly important in coming years to help organizations and communities prepare for. government and non-governmental organizations from more than 50 countries. crises or disasters. www.and intra-organizational warning procedures • principles and procedures for exercises and testing • p u b l i c / p r i v a t e p a r t n e rships. SIS. respond to and recover from disruptive incidents that could escalate into emergencies. unintentional and naturally occurring disasters. industry. • ISO Management Systems – January-February 2008 9 . 14-16 November 2007. The committee will address issues before. It currently has the following work programme : • fundamentals and vocabulary • principles for command. held in The Hague. the first responder community. control. during and after a disruptive incident relevant to individual organizations. The committee also decided to prepare a new work item proposal for a management system within the area of societal security.org/ims CO UI NTIN TY SPECIAL REPORT ISO/TC 223.